Law firms and corporate legal departments are rushing to adopt AI at a remarkable speed. But whether in a global law firm or a corporate law department, the same challenge arises: AI maturity is impossible without a foundation of information discipline. As agentic AI systems proliferate across legal workflows, the enthusiasm is understandable: efficiency gains, competitive pressure, and client expectations are all pushing firms to modernize quickly. McKinsey’s analysis of over 50 agentic AI implementations reveals that companies are rapidly deploying AI agents across everything from document review to contract analysis.
But beneath the excitement lies a troubling reality. Gartner predicts that by 2027, three out of four AI platforms will include built-in tools for responsible AI and strong oversight—yet companies that lead in ethics, governance, and compliance will gain a significant competitive edge precisely because so few are prepared. Only four percent of law firms report full compliance with their own Information Governance (IG) policies, according to Mattern Associates’ 2024 Information Governance Survey. That gap reveals a structural vulnerability that threatens to undermine every technology initiative firms are pursuing. The truth is, technology cannot fix what governance has left undone. And as firms accelerate their digital transformation, many are discovering that their biggest obstacle lies within the chaos of their own data.
The Policy-Practice Divide
Most law firms have IG policies. What they do not have is meaningful compliance in practice. Years of growth, mergers, and competing priorities have created a patchwork of systems, repositories, and behaviors that policies alone cannot reconcile. Corporate legal departments face similar strains. Years of decentralization, shadow IT, and matter-driven work patterns create fragmented repositories and inconsistent ownership models that mirror what law firms experience.
The symptoms are familiar: documents scattered across drives and email, retention schedules that exist on paper but are not enforced, legacy records accumulating with no clear ownership, and a persistent “save everything forever” mentality that makes risk exposure inevitable. The consequences are real. Firms face subpoenas for matters that closed decades ago. Storage costs balloon. Client audits become scrambles. And when firms attempt to deploy AI tools on ungoverned data, they risk amplifying inaccuracy and exposure rather than reducing it.
The Expanding Regulatory Landscape
The urgency of governance has intensified with the proliferation of privacy and AI regulations. As of 2025, 19 states have enacted comprehensive privacy laws, creating compliance obligations that flow directly into law firm operations and client service delivery. For corporate legal departments, these requirements flow directly into enterprise-wide compliance responsibilities, making effective governance essential to partnering with the business.
The IAPP’s research documents how organizations are grappling with “digital entropy”—the challenge of managing privacy, AI governance, and cybersecurity across previously siloed functions. For law firms, this convergence is critical. Automated decision-making provisions in state privacy laws intersect directly with AI deployments. Colorado’s AI Act requires developers of high-risk AI systems to protect consumers from algorithmic discrimination and conduct impact assessments. California’s CCPA regulations require risk assessments for automated decision-making and allow consumers to opt out.
Meanwhile, more than 40 states have enacted AI-related laws covering deepfakes, government use, and healthcare applications. This patchwork creates compliance complexity that can be managed only through disciplined information governance.
From Policy to Practice: The Operational Layer
When Nixon Peabody LLP, an Am Law 100 firm with more than 600 attorneys, decided to tackle its Information Governance challenges, leadership recognized that internal initiatives had stalled. The firm did not need another policy revision; it needed execution.
The firm brought in outside expertise to drive implementation. The consultant operated as an embedded team member—meeting with department heads, understanding workflows, and designing a governance structure that could be adopted across diverse practice groups.
The approach was pragmatic: build firm-wide standards while remaining flexible enough to accommodate how different departments work. The work moved beyond policy into tangible execution: identifying legacy records for defensible deletion, coordinating destruction protocols, managing client notifications, and stabilizing operations when internal resources became unavailable.
This is what the operational layer of governance looks like—the bridge between legal, IT, and records that turns frameworks into functioning systems. The same operational gap appears in corporate legal departments, where lean teams must manage retention, privacy compliance, AI risk, and cross-department collaboration without dedicated IG resources—making execution support just as critical as it is for firms.
Why Governance Is the Gateway to AI Readiness and Regulatory Compliance
AI is only as good as the data it ingests. For law firms and legal departments sitting on decades of ungoverned information, that’s a serious problem. McKinsey’s research on agentic AI implementations reveals a consistent lesson: success requires fundamentally reimagining entire workflows—not just deploying agents, but redesigning how people, processes, and technology work together. AI tools require clean, consistent, well-structured data to function effectively. Feed them duplicated files, inconsistent metadata, or poorly classified documents, and the outputs become unreliable—or worse, create new liability.
Consider the ethical risks already emerging. High-profile cases have seen attorneys sanctioned for submitting AI-generated briefs containing hallucinated citations. These incidents have prompted the ABA to issue formal guidance reminding firms of their duties of competence, confidentiality, and supervision when deploying AI tools. Poor data governance doesn’t just increase the likelihood of these errors—it undermines a firm’s ability to respond defensibly when they occur.
The intersection with privacy regulation makes governance even more critical. When state privacy laws grant consumers the right to opt out of automated decision-making that produces “legal or similarly significant effects,” firms must be able to identify where such systems are deployed, what data they process, and how to honor opt-out requests. Without governance infrastructure, compliance becomes impossible.
Corporate clients are becoming increasingly sophisticated about these requirements. Sixty-five percent now include IG requirements in their outside counsel guidelines, according to the Mattern Associates survey. These include expectations around document retention, file ownership, digital security, and access protocols. Firms that can’t demonstrate governance maturity risk being excluded from panels and repeat engagements.
The regulatory landscape is tightening rapidly. Gartner predicts that by 2027, fragmented AI regulation will cover 50% of the world’s economies, driving $5 billion in compliance investment. For law firms, this means governance isn’t just about internal policy—it’s about meeting evolving client demands and regulatory requirements that will only intensify.
The message is clear: governance isn’t a barrier to innovation—it’s a prerequisite. Firms that attempt AI adoption without first establishing information discipline will find themselves navigating ethical pitfalls, regulatory violations, client dissatisfaction, and operational instability. Those who build from a foundation of governed, reliable data will be positioned to lead.
What Technology Leaders Should Be Doing Now
For ILTA members navigating this landscape, the path forward requires shifting how governance is understood and prioritized.
First, recognize that IG is not a back-office function. It’s a strategic enabler that determines whether firms can respond to client audits, train AI tools confidently, comply with privacy regulations, and empower professionals with accurate information.
Second, embrace digital governance as an integrated discipline. Organizations can no longer treat privacy, AI governance, cybersecurity, and information management as separate domains. This means establishing cross-functional governance councils that unify Legal, IT, Privacy, and Operations around shared objectives.
Third, move from policy creation to implementation. Most firms don’t need better policies—they need execution. Assign clear ownership and accountability for data assets. Ensure governance structures can respond to state privacy laws and AI regulations.
Fourth, audit existing systems honestly. Identify where data lives, how it is used, whether automated decision-making systems are deployed, and whether policies align with practice. Closing gaps requires hands-on coordination—configuring systems, training users, documenting AI use cases, and creating mechanisms for sustained accountability.
Fifth, align governance initiatives with regulatory compliance, client expectations, and technology roadmaps. IG work shouldn’t happen in isolation from AI adoption, privacy law compliance, or cybersecurity investments. These initiatives depend on well-governed data to succeed.
The Foundation for What Comes Next
Whether legal professionals sit inside a global law firm or a corporate legal department, the path to responsible AI and operational excellence begins with the same foundation: disciplined, defensible, and well-governed information.
Transformation does not happen in a vacuum. It requires infrastructure, discipline, and trust. Law firms and legal departments that jump headfirst into AI adoption without first investing in Information Governance are likely to encounter inconsistent outputs, ethical exposure, regulatory violations, and reputational risk.
The firms that will lead are not necessarily those with the most AI tools or the largest technology budgets. They are the ones with the cleanest, most trusted data—and the operational discipline to keep it that way. They are the firms that understand governance as the connective tissue binding privacy compliance, AI responsibility, cybersecurity, and operational excellence into a coherent whole.
In an era of accelerated technological change and regulatory expansion, governance is not what slows firms down. It is what allows them to move forward with confidence—meeting client expectations, satisfying regulatory requirements, and deploying AI systems that enhance rather than undermine the quality of legal services.
For technology and operations leaders, the question is not whether to prioritize governance—it is how quickly you can close the gap between the policies you have and the practices you need. Because in the end, every modern law firm initiative—from AI implementation to privacy compliance to client trust—depends on getting information discipline right first.
